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1.0 (U) Executive Summary 


(U) Direct Kernel Object Manipulation (DKOM) 1s a rootkit technique for hiding processes, 
drivers, and files from the system task manager and event scheduler. Process hiding via DKOM 
is accomplished by modifying the doubly linked list of active threads and processes so that 
forward and backward pointers (FLINK and BLINK) of items adjacent to the process so that 
they “point around” the process to be hidden. The task manager and event scheduler use 
EPROCESS, which relies on enumeration of the FLINKs and BLINKs to identify running 
processes, and if the FLINKs and BLINKs are modified processes become “hidden” from the 
task manager and event scheduler in Figure 2. 


(U) As discussed at recent TEMS, we decided to produce a DKOM Proof-of-Concept (PoC) for 
Windows 8.1 64-bit. The reason for writing a DKOM PoC for Windows 8.1 is to provide a PoC 
that has a longer ‘shelf-life’ than one written against Windows Vista or Windows 7 going 
forward. We had originally investigated using user-mode API calls to ZwS ystemDebugControl() 
to implement the PoC, but determined through research that it’s not practical for Windows 8.1. 
We have therefore focused out attention to writing a device driver and user application to call the 
driver as briefed at recent TEMs. 


(U) It was our hope and intention to have this PoC ready for delivery on December 23rd and 
indications as late as Monday December 22nd were that we would be able to meet that deadline, 
but we ran into some issues during testing. The issues we encountered during testing are 
described later. All other PoCs and Analysis Reports were delivered as scheduled on December 
23", We anticipate this PoC to be completed shortly after the holidays. 


(U) We have the device driver and user application designed and coded. Both are compiling and 
the device driver is installing properly on the target Windows 8.1 64-bit machine. However, 
when the user application 1s executed, the target BSODs. It appears the issue is related to kernel 
memory and we are in the process of investigating. We suspect the device driver is accessing the 
wrong memory address in kernel space. We are very close to having the PoC functioning 
properly and will have this difficult and complex PoC working in January. 


2.0 (U) Description of the PoC Technique 


(U) To implement this PoC we first need to locate the ‘ActiveProcessList’, which is in the 
EPROCESS structure and contains the FLINK and BLINK we need to adjust in order to hide the 
process of our choosing. In Windows 8.1 64-bit, the “ActiveProcessList’ happens to be at offset 
Ox2e8 as seen in Figure 1. We’ve hardcoded the offset into our driver code for the purposes of 
this PoC, but in a production capability we would check for the target Operating System and 
plug the correct offset into the code at runtime. 


(U) Once we’ve gotten access to the FLINK and BLINK we will modify them to point “around” 
the process we want to hide, thereby making them “invisible” to the system task manager and 
system management tools that rely on the information provided by the processes FLINK and 
BLINK information. This high-level description of the PoC technique is depicted in Figure 2. 
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+0x000 Waking : 
+0x000 MultipleShared : Pos 3, 1 Bit 
+0x000 Shared : Pos 4, 60 Bits 
+0x000 Value : Uints8B 
+0x000 Ptr : Ptr64 Void 
+0x2d0 CreateTime : LARGE INTEGER 
+0x000 LowPart : Uint4B 
+0x004 HighPart : Int4B 
+0x000 u > <unnamed-tag> 
+0x000 LowPart : Uint4B 
+0x004 HighPart : Int4B 
+0x000 QuadPart : Int8B 
+0x2d8 RundownProtect : _EX_RUNDOWN_REF 
+0x000 Count : Uint8B 
+0x000 Ptr >: Ptr64 Void 
Ox2e8 ActiveProcessLinks : _LIST_ENTRY 
+0x000 Flink : Ptr64 _LIST_ENTRY 
+0x000 Flink 


kd> dt_eprocess 


+0x008 Blink 

+0x008 Blink 
+0x000 Flink i = a 
+0x008 Blink : Ptr64 _LIST_ENTRY 


Ux o a9 Pf UJ 45 
+0x2£8 JobNotReallyActive : Pos 0, 1 Bit 
+0n2£8 AccountingFolded : Pos 1, 1 Bit 
+0n2£8 NewProcessReported : Pos 2, 1 Bit 
+0x2£8 ExitProcessReported : Pos 3, 1 Bit 
+0x2£8 ReportCommitChanges : Pos 4, 1 Bit 
+0x2£8 LastReportMemory : Pos 5. 1 Bit 
+0%2£8 NoWakeCharge : Pos 6, 1 Bit 
+0x2£8 HandleTableRundown : Pos 7, 1 Bit 
+0x2£8 NeedsHandleRundown : Pos 8, 1 Bit 
+0x2£8 RefTraceEnabled : Pos 9, 1 Bit 
+0x2£8 NumaAware : Pos 10, 1 Bit 
+0x2£8 EmptyJobEvaluated : Pos 11, 1 Bit 
+0%2£8 DefaultPagePriority : Pos 12, 3 Bits 
+0x2£8 PrimaryTokenFrozen : Pos 15. 1 Bit 
+0x2£8 ProcessVerifierTarget : Pos 16, 1 Bit 
+0n2£8 StackRandomizationDisabled : Pos 17, 1 Bit 
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7 Figure 1. ActiveProcessList in EPROCESS at Offset 0x2e8 
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Figure 2. (U) Hiding a Process by Modifying FLINK and BLINK 
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3.0 (U) Current Status 


(U) We’ve reverse engineered the Windows 8.1 64-bit data structures and have determined the 
EPROCESS offsets for the elements of that structure we need to modify the target FLINKs and 
BLINKs in order to hide the processes of interest. 


(U) We’ve designed and coded both the DKOM device driver and the user application that 
interacts with the device driver to hide the processes. Both projects are compiling correctly and 
the device driver is loading properly on the Windows 8.1 64-bit target. 


(U) The DKOM device driver and the user application have been written in C language and 
compiled with Microsoft’s Visual Studio 2013. We used Microsoft’s WDK 8.1. We use Visual 
Studio 2013’s integrated driver testing facilities to connect to a remote (VMWare image) 
Windows 8.1 64-bit target. 


(U) Although both the device driver and the user application are compiling properly and the 
device driver installs properly on the target, when the user application is executed we get a hard 
bugcheck, which results in BSOD. We are in the process of tracking down the bugcheck and 
expect to have the PoC working in January. 


0€J Pique_DKOM (Running) - Microsoft Visual Studio (Administrator) v1 0 k Lau a Pe @ *X 
FILE EDIT VIEW PROJECT BUILD DEBUG TEAM TOOLS VMWARE TEST DRIVER ANALYZE WINDOW HELP A Don Bailey ~ 
o- “om 9 - . tinue ~ ’ a No A ition I is Events © = ued %. a3 8 + 9s 


Process: | [0] Kernel 
Pe) I = 


Solution Explorer Device.c : Driver J rE eee eee 
@\e-e@ of -—= *! Pique DKOM . (Global Scope) 
UNICODE_STRING usDriverName, usDosDeviceName; 
mon | : PDEVICE OBJECT pDeviceObject; 
NTSTATUS status; 
UINT uiIndex; 
WDF_OBJECT_ATTRIBUTES attributes; 


{3 Solution ‘Pique _DKOM' (2 projects) 
4 [% Pique_DKOM 
4 » Driver Files 


0 a KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, (“####ttttttttsettttttttctstctctttcittctcttttee \n"))); 
> % External Dependencies . = piles _ = 4 : z 7 
: KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL,(“HideProc DriverEntry Called\n"))); 
» Ge Header Files KdPrintEx((DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, ( “sataaatatatetaeaataatanaaaataataaataataaaataaataatatde \n"))); 
GS Resowce Fees RtlInitUnicodeString(&usDriverName, L"\\Device\\HideProc"); 
4 = Source Files RtlInitUnicodeString(&usDosDeviceName, L"\\DosDevices\\HideProc"); 
Db + Device.c 
bd ++ Driver.c status = IoCreateDevice(D » ®, &usDriverName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject) ; 
> + Queue.c if (NT_SUCCESS(status) ){ 
B ReadMe.txt for (uiIndex = @; uilndex < IRP_MJ_MAXIMUM_FUNCTION; uiIndex++) 
4 |%& Pique DKOM Package Drive t->MajorFunction[uiIndex] = HideProc_Unsupported; 
->MajorFunction[IRP_M)J_CREATE] = HideProc_Create; 
t->MajorFunction[IRP_MJ_WRITE] = HideProc_Write; 
t->MajorFunction[IRP_MJ_CLOSE] = HideProc_Close; 
t->DriverUnload = HideProc_Unload; 
pDeviceObject->Flags |= DO_DIRECT_IO; 
pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING); 
IoCreateSymbolicLink(&usDosDeviceName, &usDriverName) ; 


#8) Driver Files 
$= External Dependencies 


Registers ~ 2 X | Debugger Immediate Window 


No data available 


~H100% -~ 4 
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Figure 3. DKOM Device Driver Compiles and Loads on Target Correctly : 
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& Computer Management (Local| 4 . Target ; - 
4 i System Tools > & Audio inputs and outputs # Lee pers ne 
@ Task Scheduler t > Batteries 1 0.00000000 [1756] Instantiating class [Microsoft.DriverKit.DefaultDriverPackageInstallationClass] 
a {@] Event Viewer > & Bluetooth More Actions » 2 0.05103991 [1756] Invoking method [PerformDefaultDriverPackageInstallation] 
Shared Folders > pl Computer 3 120.04676819 [3124] ViewerConfigPath = 'C:\ProgramData\Microsoft\Event Viewer': Microsoft.Windows.ManagementU 
Local Users and Groups > eq Disk drives 4 120.04682159 [3124] ViewerViewsFolderPath = 'C:\ProgramData\Microsoft\Event Viewer\Views': Microsoft.Windows. 
@ Deshcsnmce ' rs Display adapters 5 120.04689026 [3124] ViewerAdminViewsPath = 'C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootN 
a Device Manager » 3 DVD/CD-ROM drives 6 120.04692841 [3124] ViewerExternalLogsPath = 'C:\ProgramData\Microsoft\Event Viewer\ExternalLogs': Microsoft. 
4 @3 Storage . =I Dncad dak dane 7 120.10255432 [3124] AddIcons: Microsoft.TaskScheduler.SnapiIn.TaskSchedulerExtension 
“ Disk M a Fl dri i 8 122.44635773 KIM: TmCommitTransactionExt for tx 2d513f0 
7 a ent > el Floppy drive contro} — 9  122.44638062 KIM: Notifying RM of 1 for tx 2d513£0 
iy Services and Applications > jj Human Interface Devices 10 122.44638824 KIM: TmPrepareTransaction for en 543d060 
> Gq IDE ATA/ATAPI controllers 11 122.44640350 KTM: Notifying RM of 16 for tx 28409a0 
} rs Jungo 12 122.44640350 KTM: Notifying RM of 2 for tx 2d513f0 
> & Keyboards 13. 122.44641113 KIM: TmPrepareTransaction for en 543d060 
> Hl Memory devices 14 122.44641876 KTM: Notifying RM of 32 for tx 28409a0 
> PY Mice and other pointing devices 15 122.44642639 KIM: Notifying RM of 2 for tx 2d513f0 
l XL Monitors 16 122.45918274 KIM: Notifying RM of 4 for tx 2d513f0 
t Og Network adapters 17 122.45919037 KTM: TmCommitTransactionExt for tx 28409a0 
> MB Portable Devices 18 122.45919800 KIM: Notifying RM of 4 for tx 28409a0 
> ™} Ports (COM & LPT) 19 122.45926666 KIM: Notifying RM of 64 for tx 28409a0 
> dap Print queues 20 122.45928192 KIM: TmRollbackEnlistmentExt for tx 28409a0 
B Processors 21 122.45929718 KTM: TmRollbackEnlistmentExt for tx 2d513f0 
4 Samples 22 122.45930481 KTM: TmRollbackTransactionExt for tx 28409a0 
23 122.45935822 KIM: Notifying RM of 4 for tx 2d513f0 
24 122.46674347 KTM: TmRollbackEnlistmentExt for tx 2d513f0 
> (BB Sensors 25 122.46684265 KTM: TmRollbackEnlistmentExt for tx 28409a0 
. 26 122.46690369 KIM: TmRollbackTransactionExt for tx 2d513f0 
> |] Software devices 
> % Sound, video and game controllers 
> <} Storage controllers 
> gM System devices 
> @ Universal Serial Bus controllers 
< > 
= = = 
Figure 4. DKOM Device Driver Loads on Remote Target 
res | ProcHide - Microsoft Visual Studio (Administrator) Wt D auick Launch (crr'+a P- 8 
FILE EDIT VIEW PROJECT BUILD DEBUG TEAM TOOLS VMWARE TEST DRIVER ANALYZE WINDOW HELP 7 Don Bailey * 
O-o B8-SaeY O- ‘ + | D Local Windows Debugger > Auto bd *|Release ~ Win32 ° | mt b |= % il --3|\ MZ Target ~ Bere 
o® o> obs 
Solution Explorer ~ 4x ProcHide.cp - 
@ o-#ap "RD ProcHide “| (Global Scope) ® _tmain{int argc, TCHAR * argvi]) 
Sint _tmain(int arg 
Search Solution Explorer (Ctri+ pP- 7 
{ 
fa) Solution ProcHide’ (1 project) HANDLE hFile; 
4 ®& ProcHide hpstruct hps; 


b External Dependencies 


4 a) Header Files hFile = CreateFile(_T("\\\\.\\HideProc"), 


GENERIC_READ | GENERIC_WRITE, 


B stdafx.h Ms 
B targetver.h , 
° 9 ee NULL, 
vm Resource Files OPEN_EXISTING, 
4 = Source Files FILE_ATTRIBUTE_NORMAL, 
Db + ProcHide.cpp NULL); 
++ stdafx.cpp 
 ReadMetxt if (hFile){ 


while (1){ 
printf("Enter PID: "); 
scanf_s("%d", &hps.uPid); 
hps.uFlinkOffset = guOffset; 
printf("flink offset = %x\n", hps.uFlinkOffset); 


printf("Press enter to hide another process or ‘q' to quit.\n"); 
fflush(stdin); 
if (getchar() == 'q') break; 


Output ~ 
Show output from: | Build - = ta 
1>------ Build started: Project: ProcHide, Configuration: Release Win32 ------ a 


1> ProcHide.cpp 

1> Generating code 

1> Finished generating code 

1> ProcHide.vcxproj -> C:\Users\don_8@8\Documents\Visual Studio 2013\Projects\ProcHide\Release\ProcHide.exe 


Solution Explorer I@ERaYiy 


Figure 5. User Application Compiles Correctly 
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Your PC ran into a problem and needs to restart. We're just 


collecting some error info, and then you can restart. (100% 


ae) gn)e) (230) 


If you'd like to know more, you can search online later for this 
error: PAGE FAULT IN NONPAGED AREA (Wadf01000.sys) 





Figure 6. Execution of User Application on Target BSODs 


4.0 (U) Next Steps 


(U) We will debug the target kernel during our PoC code execution to get insight into the nature 
of the BSOD. We will review the user application and driver code to find any improper memory 
address usage or IRP-based communications errors between the user application and device 
driver. We will draw on additional debug/reverse engineering resources within Blackbird to track 
down the issue(s) with the BSOD down and resolve them. 


(U) We believe we are very close to having this PoC completed. 


5.0 (U) Delivery 


(U) Per guidance received at the TEM on December 15, after describing the some of the 
development challenges, this report and the separately attached Microsoft Visual Studio 2013 
Solution files with the associated compiler settings and configurations constitutes a PoC delivery 
for December. 


(U) We expect to have the final working PoC completed and delivered in January after the 
holidays. 
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